Provable Security Analysis for the Password
Authenticated Key Exchange Problem
Ph.D. Thesis Presentation
Presenter: M. Sc. Jose Becerra Supervisors: Prof. Peter Y. A. Ryan
Dr. Dimiter Ostrev May 14, 2019
Table of Contents 1. Introduction
Motivation and Research Objectives
2. Relation between SIM-based and IND-based security models 3. Forward Secrecy for SPAKE2
PFS-SPAKE2
4. Tight Security Reductions PAK Protocol
5. Summary
What is a PAKE
• Password Authenticated Key-Exchange protocol.
• Goal: Establishment of strong cryptographic session keys from low entropy secrets.
• Attacks should be limited toonlinedictionary attacksonly. • A may test at most one password per session during an
active attack.
What is a PAKE
• Password Authenticated Key-Exchange protocol.
• Goal: Establishment of strong cryptographic session keys from low entropy secrets.
• Attacks should be limited toonlinedictionary attacksonly. • A may test at most one password per session during an
active attack.
PAKEs Application I
Build secure channels relying only on shared passwords. • No need of PKI.
PAKEs Application II
Login scenarios while intrinsically protecting the user’s password.
• In 2018, 49% of phishing attacks where performed inhttps web pages (marked as secure by the browser).
• PAKEs prevent the compromise of the user’s password.
PAKEs Application II
Login scenarios while intrinsically protecting the user’s password.
• In 2018, 49% of phishing attacks where performed inhttps web pages (marked as secure by the browser).
• PAKEs prevent the compromise of the user’s password.
Motivation and Research Objectives
Our aim is to facilitate the adoption of PAKEs in real-world applications.
1. Examine whether the simulation-based and
indistinguishability-based security notions for PAKEs are equivalent.
2. Investigate whether the SPAKE2 protocol provably satisfies some meaningful notion of forward secrecy.
3. Investigate the relevance of tight security reductions for PAKE protocols.
We consider the computational-complexity approach in our analysis.
Security Models for PAKEs
IND-based
1. Find then Guess (IND-FtG) [BPR00]
2. Real or Random (IND-RoR) [AFP05]
SIM-based
• Boyko Mackenzie and Patel (SIM-BMP) [BMP00]
• Universally Composable PAKEs (UC) [CHKM05]
Security Models for PAKEs
IND-RoR SIM-BMP
IND-FtG SIM-UC
Fig. 1: Known relations between PAKE security definitions.
Security Models for PAKEs
IND-RoR SIM-BMP
IND-FtG SIM-UC
?
Fig. 2: Known relations between PAKE security definitions.
Real or Random Security Model (IND-RoR)
• Security defined by a game playedCH and A.
• initUser (U)
• initInstance (U, i, pid) • Send (U, i, m) • Execute (U, i, U′,i′)
• Corrupt (U) • Test (U, i)
• if b = 1 real session key. • if b = 0 random string.
Definition
Protocol P satisfies RoR security if∀ PPT A: AdvRoR
P (A) ≤ |D|k + negl(λ)
k: number of active instances
Simulation-based Security Model (SIM-BMP) I
Real World
• Real execution of the protocol.
• The adversary controls the network.
RW adv. is given access to the following queries:
• initUser (U).
• initInstance (U, i, pid). • Send (U, i, m). • Corrupt(U) • Application (f, U, i).
Transcript: RW(B)
Simulation-based Security Model (SIM-BMP) II Ideal World
• Defines the ideal functionality for a PAKE. • Secure by definition.
IW adv. (or simulator) is given access to the following queries:
• initUser (U).
• initInstance (U, i, pid). • Abort user instance (U, i). • Test instance password (U, i, π′).
• Start session (U, i). • Application (f, U, i). • Implementation.
Transcript: IW(B∗)
Simulation-based Security Model (SIM-BMP) III
Definition
Protocol P is SIM-BMP secure if:
∀B ∃B∗ s.t. RW(B)≈cIW(B∗) No assumption is made about the distribution of passwords.
SIM-BMP→ IND-RoR I
Theorem (SIM-BMP→ IND-RoR)
If protocol P satisfies SIM-BMP security, then P also satisfies IND-RoR security.
SIM-BMP→ IND-RoR II • We construct B fromA.
• The output is RW(B).
By SIM-BMP security definition: ∀B ∃B∗ s.t. RW(B)≈ cIW(B∗) • Build a distinguisherD(trx). 1← D(·) if real-world trx. 0← D(·) if ideal-world trx. AdvRoR P (A) ≤ k |D|+ negl(λ) · · · then P is IND-RoR secure. B, B∗are real-world and ideal-world adv. in SIM-BMP.
A is the adv. in RoR.
SIM-BMP→ IND-RoR II • We construct B fromA.
• The output is RW(B).
By SIM-BMP security definition:
∀B ∃B∗ s.t. RW(B)≈ cIW(B∗) • Build a distinguisherD(trx). 1← D(·) if real-world trx. 0← D(·) if ideal-world trx. AdvRoR P (A) ≤ k |D|+ negl(λ) · · · then P is IND-RoR secure. B, B∗are real-world and ideal-world adv. in SIM-BMP.
A is the adv. in RoR.
SIM-BMP→ IND-RoR II • We construct B fromA.
• The output is RW(B).
By SIM-BMP security definition:
∀B ∃B∗ s.t. RW(B)≈ cIW(B∗) • Build a distinguisherD(trx). 1← D(·) if real-world trx. 0← D(·) if ideal-world trx. AdvRoR P (A) ≤ k |D|+ negl(λ) · · · then P is IND-RoR secure. B, B∗are real-world and ideal-world adv. in SIM-BMP.
A is the adv. in RoR.
IND-RoR vs SIM-BMP
IND-RoR SIM-BMP
IND-FtG SIM-UC
?
Fig. 3: Could not prove by contradiction the implication.
SIM Security: Online Dictionary Attacks
SIM-BMP 1. Incorporate in the IW, the non-negligible probability of an adversary guessing the password.
• test instance password (U, i, π′).
P is SIM-BMP secure if∀D: ∀B ∃B∗ s.t. RW(B)≈
cIW(B∗)
SIM-BMP’
2. Do not incorporate in the IW the non-negligible probability of guessing the password.
• Relax the indistinguishability requirement.
P is SIM-BMP’ secure if∀D: ∀B ∃B∗ s.t. RW(B)k/|D|≈ IW(B∗)
k: number of active instances D: password dictionary
SIM-BMP’ Security Model
Definition
Protocol P is SIM-BMP’ secure if:
∀B ∃B∗ s.t. RW(B)k/|D|≈ IW(B∗)
SIM-BMP’ Security Model II
Theorem (SIM-BMP’→ IND-RoR)
If protocol P satisfies SIM-BMP’ security, then P also satisfies IND-RoR security.
Theorem (IND-RoR→ SIM-BMP’)
If protocol P satisfies IND-RoR security, then P also satisfies SIM-BMP’ security.
IND vs SIM Comparison Results
Our results (in blue) are summarized in the following diagram:
Without Forward Secrecy With Forward Secrecy
SIM-BMP′ FS-SIM-BMP′
IND-RoR SIM-BMP FS-IND-RoR FS-SIM-BMP
IND-FtG SIM-UC
Fig. 4: Relation between PAKE security definitions.
SPAKE2
• PAKE protocol by Abdalla and Pointcheval (CT-RSA 2005). • One round protocol.
• Currently in the process of standardization by the IEFT. • Proven secure in the IND-FtG security model (BPR).
... but without forward secrecy.
SPAKE2 - Description Client C Server S Public: M, N∈ G; Secret: π ∈ Zq x $ ←− Zq, X := gx y←− Z$ q, Y := gy X∗:=X· Mπ Y∗=Y· Nπ X∗ Y∗ σ := (NY∗π)x σ := (X ∗ Mπ)y sk := H(C, S, X∗,Y∗, σ, π) sk := H(C, S, X∗,Y∗, σ, π) Fig. 5: SPAKE2 protocol.
Forward Secrecy
“It ensures the protection of session keys even if the long-term secret of the participants gets later compromised” [DOW92].
• Weak Forward Secrecy (wFS).
Session keys generatedwithout the active interventionof
A, should remain secret to A,regardlessany Corrupt
query.
• Perfect Forward Secrecy (PFS).
Session keys established before any Corrupt (U) query should remain secret to the adversary.
• It is difficult to prove PFS for 1-round protocols with only implicit authentication.
Forward Secrecy
“It ensures the protection of session keys even if the long-term secret of the participants gets later compromised” [DOW92].
• Weak Forward Secrecy (wFS).
Session keys generatedwithout the active interventionof
A, should remain secret to A,regardlessany Corrupt
query.
• Perfect Forward Secrecy (PFS).
Session keys established before any Corrupt (U) query should remain secret to the adversary.
• It is difficult to prove PFS for 1-round protocols with only
implicit authentication.
Perfect vs week Forward Secrecy
Fig. 6:Sessions protected with PFS. Fig. 7:Sessions protected with wFS.
Perfect vs week Forward Secrecy
Fig. 6:Sessions protected with PFS. Fig. 7:Sessions protected with wFS.
SPAKE2 - Problematic Scenario
Adv.A(C) Server S
x $ ←− Zq, X := gx y←− Z$ q, Y := gy X∗:=X· Mπ1 X∗ Y∗=Y· Nπc σ := (MXπc∗ )y Y∗ sk := H(C, S, X∗,Y∗, σ, π c)
• An active adversary tries to impersonate C to S.
• Only implicit authentication : Server accepts (and might use) sk without confirming its intended partner.
SPAKE2 - Problematic Scenario
Adv.A(C) Server S
x← Zq, X := gx y← Zq, Y := gy X∗:=X· Mπ1 X∗ Y∗=Y· Nπc σ := (MXπ∗c)y Y∗ sk := H(C, S, X∗,Y∗, σ, πc) .. . Corrupt (S)
1. Perfect Forward Secrecy. • sk must be secret toA. 2. Weak Forward Secrecy.
• Does not guarantee the secrecy of sk.
SPAKE2 - Problematic Scenario
Adv.A(C) Server S
x← Zq, X := gx y← Zq, Y := gy X∗:=X· Mπ1 X∗ Y∗=Y· Nπc σ := (MXπ∗c)y Y∗ sk := H(C, S, X∗,Y∗, σ, πc) .. . Corrupt (S)
1. Perfect Forward Secrecy. • sk must be secret toA.
2. Weak Forward Secrecy.
• Does not guarantee the secrecy of sk.
SPAKE2 - weak Forward Secrecy
Theorem
SPAKE2 is secure in the BPR model with weak Forward Secrecy under the CDH and CSDH assumptions:
AdvwFS-FtGP (A) ≤ nse |D| + O ( (nse+nex)(nse+nex+nro) q + nro· AdvCDHG (BA) +nsenro· AdvCDHG ( ˆBA) + (nro)2· AdvCSDHG ( ˜BA) ) . D: password dictionary nse: number of Send queries nex: number of Execute queries nro: number of random oracle queries
PFS-SPAKE2
• Incorporating key-confirmation codes to SPAKE2 results in PFS-SPAKE2.
• Explicit mutual authentication. • Remove one CRS.
• Computationally more efficient (client side).
PFS-SPAKE2 - Security
Theorem
PFS-SPAKE2 is secure in the BPR model with Perfect Forward Secrecy under the CDH assumption:
AdvwFS-FtGP (A) ≤ nse |D| +O ( (nse+nex)(nse+nex+nro) q + nro· AdvCDHG (BA) + nsenro· AdvCDHG ( ˆBA) + (nro)2· AdvCDHG ( ˜BA) ) . D: password dictionary nse: number of Send queries nex: number of Execute queries nro: number of random oracle queries
Tight Reductions Hard Problem π advantage = ϵπ running time = tπ Protocol P advantage = ϵ running time = t
An adversary running in time t with advantage ϵ give us a
π-solver running in time tπ with advantage ϵπ.
• The protocol is secure if such solver does not exist.
Tight Reductions Hard Problem π advantage = ϵπ running time = tπ Protocol P advantage = ϵ running time = t
The reduction istightif
ϵ
t =c·
ϵπ
tπ
.
• Preserve strength of hardness assumption.
Why Tight Reductions?
The reduction is not tight if: ϵ >> ϵπ or tπ >>t. • ϵ≤L· ϵπ, for large L:security degradation factor. For instance consider:
• Desired security level of 150 bits for the protocol. • L = 240degradation factor.
ϵ≤ L · ϵπ 2−150=240· 2−190
• Then the hardness assumption needs to provide at least 190 bits of security→larger parameters and less efficient impl.
PAK Protocol
• Boyko, Mackenzie and Patel 2001.
• PAKE protocol with explicit mutual authentication. • Low computation and communication cost. • Satisfies forward secrecy.
• Currently under consideration by IETF for standardization.
• Patent expired in 2017.
Initialization Public:G, g, q; H : {0, 1}∗→ G; H1,H2,H3:{0, 1}∗→ {0, 1}k; Client Server Secret: π πS[C] = (H(πC))−1 x $ ←− Zq, α := gx γ :=H1(π) m := α· γ C, m y $ ←− Zq, µ := gy γ′:= πS[C] σ := (m· γ′)y,i.e. σ = DH(α, µ) k := H2(C, S, m, µ, σ, γ′) k′′:=H3(C, S, m, µ, σ, γ′) σ := µx,i.e. σ = DH(α, µ) µ,k sk := H4(C, S, m, µ, σ, γ′) γ′:= γ−1 abort if k̸= H2(C, S, m, µ, σ, γ′) k′:=H3(C, S, m, µ, σ, γ′) sk := H4(C, S, m, µ, σ, γ′) k′ abort if k′̸= k′′
Fig. 8: PAK protocol.
Non-tight Reduction in PAK I PAK security proof is not tight:
AdvPAKG (A) ≤ nse
|D| +O
(
nse· (nro)2· AdvCDHG (BA)
)
We consider realistic parameters:
• G has order q = 2256→ AdvCDH
G ≤ 2−128. • nse≈ 230: Number of Send queries.
• nro≈ 263: Number of random oracle queries.
nse· (nro)2· AdvCDHG (BA) >>1 . . . is meaningless.
Non-tight Reduction in PAK II
• Instantiation over prime order groups. • Both CDH and DDH are hard. • Security proof relies on the CDH
assumption and RO model. • Construct a CDH-solver algorithm:
H(m, µ,· · · ,σ1, π) H(m, µ,· · · ,σ2, π)
...
H(m, µ,· · · ,σro, π)
How can the simulator choose thecorrectσs.t.
Non-tight Reduction in PAK II
• Instantiation over prime order groups. • Both CDH and DDH are hard. • Security proof relies on the CDH
assumption and RO model. • Construct a CDH-solver algorithm:
H(m, µ,· · · ,σ1, π) H(m, µ,· · · ,σ2, π)
...
H(m, µ,· · · ,σro, π)
How can the simulator choose thecorrectσs.t.
Non-tight Reduction in PAK II
• Instantiation over prime order groups. • Both CDH and DDH are hard. • Security proof relies on the CDH
assumption and RO model. • Construct a CDH-solver algorithm:
H(m, µ,· · · ,σ1, π) H(m, µ,· · · ,σ2, π)
...
H(m, µ,· · · ,σro, π)
How can the simulator choose thecorrectσs.t.
Tightly-secure PAK Our solution:
• Instantiate PAK over Gap Diffie-Hellman groups, e.g.
billinear groups.
• Tight reduction from Gap-DH. Theorem
AdvPAK(A) ≤ nse
|D| +8· Adv
Gap-DH
G (BA)
More efficient implementations.
• PAK andG provide the same security level w.r.t. the Gap-DH problem.
Tightly-secure PAK Our solution:
• Instantiate PAK over Gap Diffie-Hellman groups, e.g.
billinear groups.
• Tight reduction from Gap-DH. Theorem
AdvPAK(A) ≤ nse
|D| +8· Adv
Gap-DH
G (BA)
More efficient implementations.
• PAK andG provide the same security level w.r.t. the Gap-DH problem.
Summary of our Contributions
• Proved that the original SPAKE2 satisfies weak Forward Secrecy.
• SPAKE2 with key-confirmation codes satisfies Perfect Forward Secrecy.
• Tight security reduction for the PAK protocol.
• The same technique could be applied to other EKE-based protocols, e.g. PPK, SPAKE2.
• Comparison between SIM-BMP and IND-RoR security models for PAKEs.
• SIM-BMP−→ IND-RoR.
• SIM-BMP’←→ IND-RoR.
Q & A